In the most recent campaign, Proofpoint said the campaign hooked users through fake Chrome/Firefox/IE browser updates (and a fake Flash update for good measure), and the attack was active for more than a year until the ad network, Traffic Junky, and the smut site lowered the boom.

As an example of the obfuscation the campaign used, Chrome users were hit with a JavaScript which beaconed back to the attackers' server: this prevented analysts working through the infection chain if their IP hadn't checked in.

“This makes it extremely unlikely that the JavaScript can be run alone and provide the payload in a sandbox environment. This is most likely why this component of the chain has not been documented previously.”

“It should be noted that both P0rnHub and Traffic Junky acted swiftly to remediate this threat upon notification”, Proofpoint noted in its post. ®

Bootnote: Using "Pr0rnHüb" instead of the site's real name helps our news to pass content filters so you can enjoy this news at work.